[gnutls-help] certtool - key encipherment (X.509v3 extension)

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Dec 14 09:43:37 CET 2015

On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <tobbe.se at gmail.com> wrote:
> Hello!
> I'm trying to create a certificate that contains the necessary options to
> let libvirtd service work as intended with remote control over TLS.
> I have created my own CA using certtool and the problem that I'm having is
> with the server certificate.
> The template that I'm using when I create the CSR is as follows:
> organization = "Local libvirtd"
> unit = "libvirtd server"
> cn = "oink"
> country = "SE"
> state = "Sweden"
> expiration_days = 1095
> tls_www_server
> signing_key
> encryption_key
> I've also tried to make certtool honour the extensions, which it does to a
> certain degree. The "encryption_key" is not honored even if I try to enforce
> it using the "honour_crq_extensions" option as well as using the above
> template when I sign the CSR with the CA. The resulting PEM-encoded
> certificate generates the following error during startup of libvirtd:

Could you send the command set that reproduces that? Note however,
that if you have access to the CA key you don't need to go through a
CSR to generate a certificate. You can generate it directly from the

